blob: d1e2fdf3e9810d639b0d316d67cfd11a22df0e6a (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
From 6b1eec0630516698ac9cd3343ef7eb8515fee231 Mon Sep 17 00:00:00 2001
From: Jakub Adam <jakub.adam@collabora.com>
Date: Thu, 3 Jan 2019 21:26:41 +0100
Subject: [PATCH] udp-turn: Avoid potential integer overflow
---
socket/udp-turn.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/socket/udp-turn.c b/socket/udp-turn.c
index 1bc5e031..c3b152d1 100644
--- a/socket/udp-turn.c
+++ b/socket/udp-turn.c
@@ -362,7 +362,7 @@ socket_recv_messages (NiceSocket *sock,
guint f_buffer_len = priv->fragment_buffer->len;
for (i = 0; i < n_recv_messages && f_buffer_len >= sizeof (guint16); ++i) {
- guint16 msg_len = ((f_buffer[0] << 8) | f_buffer[1]) + sizeof (guint16);
+ guint32 msg_len = ((f_buffer[0] << 8) | f_buffer[1]) + sizeof (guint16);
if (msg_len > f_buffer_len) {
/* The next message in the buffer isn't complete yet. Wait for more
@@ -450,7 +450,7 @@ socket_recv_messages (NiceSocket *sock,
if (nice_socket_is_reliable (sock) && parsed_buffer_length > 0) {
/* Determine the portion of the current NiceInputMessage we can already
* return. */
- guint16 msg_len = 0;
+ gint32 msg_len = 0;
if (!priv->fragment_buffer) {
msg_len = ((buffer[0] << 8) | buffer[1]) + sizeof (guint16);
if (msg_len > parsed_buffer_length) {
|